As an Operator, you can add or modify the values of the system properties.
The following tables describe some of the system properties. As an Operator, you can set the values for these properties.
- Alert Emails
- Alerts
- Certificate Authority
- Data Retention
- Edges
- Edge Activation
- Monitoring
- Notifications
- Password Reset and Lockout
- Rate Limiting APIs
- Remote Diagnostics
- Self-service Password Reset
- Two-factor Authentication
- VNF Configuration
- VPN
Alert Emails

System Property | Description |
---|---|
vco.alert.mail.to | When an alert is triggered, a notification is sent immediately to the list of Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas. If the property does not contain any value, then the notification is not sent. The notification is meant to alert VMware support / operations personnel of impending issues before notifying the customer. |
vco.alert.mail.cc | When alert emails are sent to any customer, a copy is sent to the Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas. |
mail.* | There are multiple system properties available to control the Alert Emails. You can define the Email parameters like SMTP properties, username, password, and so on. |
Alerts

System Property | Description |
---|---|
vco.alert.enable | Globally enables or disables the generation of alerts for both Operators and Enterprise customers. |
vco.enterprise.alert.enable | Globally enables or disables the generation of alerts for Enterprise customers. |
vco.operator.alert.enable | Globally enables or disables the generation of alerts for Operators. |
Certificate Authority

System Property | Description |
---|---|
edge.certificate.renewal.window | This optional system property allows the Operator to define one or more maintenance windows during which Edge certificate renewal is enabled. Certificates scheduled for renewal outside of the windows are deferred until the current time falls within one of the enabled windows. Enable System Property: To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box. An example of the first part of this system property when it is enabled is shown below. Operators can define multiple windows to restrict the days and hours of the day during which Edge renewals are enabled. Each window is defined by a day, or a list of days (separated by commas), and a start and end time. Start and end times can be specified relative to an Edge's local time zone, or relative to UTC. See image below for an example. Note: If attributes are not present, the default is enabled "false". When defining window attributes, adhere to the following: If the above-mentioned values are missing, the attribute defaults in each window definition are as follows: Disable System Property: This system property is disabled by default, which means the certificate automatically renews after it expires. "Enabled" will be set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is disabled is shown below. { "enabled": false, "windows": [ { NOTE: This system property requires that PKI be enabled. |
gateway.certificate.renewal.window | This optional system property allows the Operator to define one or more maintenance windows during which Gateway certificate renewal is enabled. Certificates scheduled for renewal outside of the windows are deferred until the current time falls within one of the enabled windows. Enable System Property: To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box. See image below for an example. Operators can define multiple windows to restrict the days and hours of the day during which Edge renewals are enabled. Each window is defined by a day, or a list of days (separated by commas), and a start and end time. Start and end times can be specified relative to an Edge's local time zone, or relative to UTC. See image below for an example. Note: If attributes are not present, the default is enabled "false". When defining window attributes, adhere to the following: If the above-mentioned values are missing, the attribute defaults in each window definition are as follows: Disable System Property: This system property is disabled by default, which means the certificate automatically renews after it expires. "Enabled" will be set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is disabled is shown below. { "enabled": false, "windows": [ { NOTE: This system property requires that PKI be enabled. |
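The deferral rule described for the two renewal-window properties (renew only when the current time falls inside an enabled window, otherwise wait) is worth seeing as code, because a window evaluated against the Edge's local clock and one evaluated against UTC can give different answers for the same instant. The following is an added example, not code from the product or this page: the page names only the "enabled" and "windows" keys, so the per-window key names ("days", "start", "end", "timezone"), the "EDGE_LOCAL" value and the sample window values are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed example value for edge.certificate.renewal.window. Only "enabled"
# and "windows" come from the page; the per-window keys and values are assumed.
EXAMPLE_PROPERTY = {
    "enabled": True,
    "windows": [
        # weekend early hours, measured on the Edge's local clock
        {"days": "SAT, SUN", "start": "01:00", "end": "05:00", "timezone": "EDGE_LOCAL"},
        # a late-evening slot measured in UTC, regardless of where the Edge is
        {"days": ["WED"], "start": "22:00", "end": "23:59", "timezone": "UTC"},
    ],
}

DAY_NAMES = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]  # datetime.weekday() order


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _window_contains(window, utc_now, edge_utc_offset_minutes):
    # Evaluate the window either on the UTC clock or on the Edge's local clock.
    if window.get("timezone", "UTC") == "UTC":
        local = utc_now
    else:
        local = utc_now + timedelta(minutes=edge_utc_offset_minutes)
    days = window.get("days", DAY_NAMES)
    if isinstance(days, str):  # accept "SAT, SUN" as well as a JSON list
        days = [d.strip().upper() for d in days.split(",")]
    if DAY_NAMES[local.weekday()] not in days:
        return False
    minute_of_day = local.hour * 60 + local.minute
    start = _minutes(window.get("start", "00:00"))
    end = _minutes(window.get("end", "23:59"))
    return start <= minute_of_day <= end


def renewal_allowed(prop, utc_now_iso, edge_utc_offset_minutes=0):
    """True if a scheduled renewal may run at utc_now_iso (e.g. "2024-06-08T03:00:00"),
    False if it must be deferred. With "enabled" absent or false the windows do not
    apply, matching the page's default of renewing without deferral."""
    if not prop.get("enabled", False):
        return True
    utc_now = datetime.fromisoformat(utc_now_iso)
    return any(_window_contains(w, utc_now, edge_utc_offset_minutes)
               for w in prop.get("windows", []))


def next_allowed_time(prop, utc_now_iso, edge_utc_offset_minutes=0, horizon_days=8):
    """Return the first UTC minute (ISO string) at which a deferred renewal would
    run, or None if no window opens within the horizon (a sign the windows are
    too narrow for the certificate's remaining lifetime)."""
    probe = datetime.fromisoformat(utc_now_iso).replace(second=0, microsecond=0)
    for _ in range(horizon_days * 24 * 60):
        if renewal_allowed(prop, probe.isoformat(), edge_utc_offset_minutes):
            return probe.isoformat()
        probe += timedelta(minutes=1)
    return None
```

The second call in the test below shows the point: 03:00 UTC on a Saturday is inside the weekend window for an Edge running on UTC, but for an Edge five hours behind UTC it is still Friday evening, so the renewal waits until 06:00 UTC.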
Data Retention

System Property | Description |
---|---|
retention.highResFlows.days | This system property enables Operators to configure high resolution flow stats data retention anywhere between 1 and 90 days. |
retention.lowResFlows.months | This system property enables Operators to configure low resolution flow stats data retention anywhere between 1 and 365 days. |
session.options.maxFlowstatsRetentionDays | This property enables Operators to query more than two weeks of flow stats data. |
Edges

System Property | Description |
---|---|
edge.offline.limit.sec | If the Orchestrator does not detect a heartbeat from an Edge for the specified duration, then the state of the Edge is moved to OFFLINE mode. |
edge.link.unstable.limit.sec | When the Orchestrator does not receive link statistics for a link for the specified duration, the link is moved to UNSTABLE mode. |
edge.link.disconnected.limit.sec | When the Orchestrator does not receive link statistics for a link for the specified duration, the link is disconnected. |
edge.deadbeat.limit.days | If an Edge is not active for the specified number of days, then the Edge is not considered for generating Alerts. |
vco.operator.alert.edgeLinkEvent.enable | Globally enables or disables Operator Alerts for Edge Link events. |
vco.operator.alert.edgeLiveness.enable | Globally enables or disables Operator Alerts for Edge Liveness events. |
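The five Edge properties above work together: the heartbeat and link-statistics timeouts decide the state an Edge or link is moved to, the deadbeat limit removes long-inactive Edges from alerting altogether, and the two alert switches gate which Operator alerts are raised at all. The following is an added example that models that decision logic; it is not the Orchestrator's code. The property values, the Edge record shape, and the state names other than OFFLINE, UNSTABLE and DISCONNECTED (CONNECTED, STABLE) and the alert names (EDGE_DOWN, LINK_*) are constructed for illustration.

```python
# Constructed property values for this example; the page gives no product defaults.
EXAMPLE_PROPS = {
    "edge.offline.limit.sec": 120,
    "edge.link.unstable.limit.sec": 60,
    "edge.link.disconnected.limit.sec": 300,
    "edge.deadbeat.limit.days": 30,
    "vco.operator.alert.edgeLiveness.enable": True,
    "vco.operator.alert.edgeLinkEvent.enable": True,
}

# Constructed Edge record (epoch seconds): last heartbeat, last activity, and the
# time of the last link statistics per link. The record shape is an assumption.
EXAMPLE_EDGE = {
    "name": "edge-branch-01",
    "last_heartbeat": 1_700_000_000,
    "last_active": 1_700_000_000,
    "links": {"GE3": 1_700_000_000 - 10, "GE4": 1_700_000_000 - 400},
}


def edge_state(edge, now, props):
    """OFFLINE once no heartbeat has arrived for edge.offline.limit.sec seconds;
    otherwise CONNECTED (an assumed name for the healthy state)."""
    idle = now - edge["last_heartbeat"]
    return "OFFLINE" if idle >= props["edge.offline.limit.sec"] else "CONNECTED"


def link_state(last_stats, now, props):
    """Missing link statistics first make a link UNSTABLE, then DISCONNECTED;
    the stricter limit is checked first so the two thresholds cannot conflict."""
    idle = now - last_stats
    if idle >= props["edge.link.disconnected.limit.sec"]:
        return "DISCONNECTED"
    if idle >= props["edge.link.unstable.limit.sec"]:
        return "UNSTABLE"
    return "STABLE"


def is_deadbeat(edge, now, props):
    """An Edge inactive for edge.deadbeat.limit.days or more is not considered for alerts."""
    return (now - edge["last_active"]) >= props["edge.deadbeat.limit.days"] * 86400


def evaluate(edge, now, props):
    """Return (states, alerts): the states the Orchestrator would set, and the
    Operator alerts that survive the deadbeat filter and the two enable switches."""
    states = {
        "edge": edge_state(edge, now, props),
        "links": {name: link_state(t, now, props) for name, t in edge["links"].items()},
    }
    alerts = []
    if is_deadbeat(edge, now, props):
        return states, alerts  # state still tracked, but nothing is raised
    if props["vco.operator.alert.edgeLiveness.enable"] and states["edge"] == "OFFLINE":
        alerts.append(("EDGE_DOWN", edge["name"]))
    if props["vco.operator.alert.edgeLinkEvent.enable"]:
        for name, state in states["links"].items():
            if state != "STABLE":
                alerts.append(("LINK_" + state, name))
    return states, alerts
```

A useful check when tuning these values: edge.link.unstable.limit.sec should stay below edge.link.disconnected.limit.sec, and the deadbeat limit only silences alerts for an Edge, it does not stop its state from changing, so a dashboard can still show the Edge as OFFLINE with no alert ever having fired.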
Edge Activation

System Property | Description |
---|---|
edge.activation.key.encode.enable | Base64 encodes the activation URL parameters to obscure values when the Edge Activation Email is sent to the Site Contact. |
edge.activation.trustedIssuerReset.enable | Resets the trusted certificate issuer list of the Edge to contain only the Orchestrator Certificate Authority. All TLS traffic from the Edge is restricted by the new issuer list. |
network.public.certificate.issuer | When edge.activation.trustedIssuerReset.enable is set to True, set the value of network.public.certificate.issuer to the PEM encoding of the issuer of the Orchestrator server certificate. This adds the server certificate issuer to the trusted issuers of the Edge, in addition to the Orchestrator Certificate Authority. |
Monitoring

System Property | Description |
---|---|
vco.monitor.enable | Globally enables or disables monitoring of Enterprise and Operator entity states. Setting the Value to False prevents SD-WAN Orchestrator from changing entity states and triggering alerts. |
vco.enterprise.monitor.enable | Globally enables or disables monitoring of Enterprise entity states. |
vco.operator.monitor.enable | Globally enables or disables monitoring of Operator entity states. |
Notifications

System Property | Description |
---|---|
vco.notification.enable | Globally enables or disables the delivery of Alert notifications to both Operator and Enterprises. |
vco.enterprise.notification.enable | Globally enables or disables the delivery of Alert notifications to the Enterprises. |
vco.operator.notification.enable | Globally enables or disables the delivery of Alert notifications to the Operator. |
Password Reset and Lockout

System Property | Description |
---|---|
vco.enterprise.resetPassword.token.expirySeconds | Duration of time, after which the password reset link for an enterprise user expires. |
vco.enterprise.authentication.passwordPolicy | Defines the password expiration and password history policy for enterprise users. Edit the JSON template in the Value field to define the following: expiry, history. |
enterprise.user.lockout.defaultAttempts | Number of times the enterprise user can attempt to log in. If the login fails for the specified number of times, the account is locked. |
enterprise.user.lockout.defaultDurationSeconds | Duration of time, for which the enterprise user account is locked. |
enterprise.user.lockout.enabled | Enables or disables the lockout option for the enterprise login failures. |
vco.operator.resetPassword.token.expirySeconds | Duration of time, after which the password reset link for an Operator user expires. |
vco.operator.authentication.passwordPolicy | Defines the password expiration and password history policy for Operator users. Edit the JSON template in the Value field to define the following: expiry, history. |
operator.user.lockout.defaultAttempts | Number of times the Operator user can attempt to log in. If the login fails for the specified number of times, the account is locked. |
operator.user.lockout.defaultDurationSeconds | Duration of time, for which the Operator user account is locked. |
operator.user.lockout.enabled | Enables or disables the lockout option for the Operator login failures. |
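The lockout and reset-token properties above describe a small state machine: count consecutive failures, lock the account for a fixed duration once the attempt limit is reached, and let a password-reset link expire after a configured number of seconds. The following added example (not the Orchestrator's code) models the enterprise variant of that behaviour; the property values are constructed, the class and method names are assumptions, and storing only a hash of the reset token is a design choice of this example rather than something the page states.

```python
import hashlib
import hmac
import secrets

# Constructed values for the enterprise properties on this page; not product defaults.
EXAMPLE_PROPS = {
    "enterprise.user.lockout.enabled": True,
    "enterprise.user.lockout.defaultAttempts": 5,
    "enterprise.user.lockout.defaultDurationSeconds": 900,
    "vco.enterprise.resetPassword.token.expirySeconds": 3600,
}


class EnterpriseLoginGuard:
    """Tracks failed logins, lockouts and reset-token expiry per user (all times
    are epoch seconds so the logic can be tested without a real clock)."""

    def __init__(self, props):
        self.props = props
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> epoch seconds at which the lock ends
        self.reset_tokens = {}  # sha256(token) -> (user, expires_at)

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Count a failed login. Returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if (self.props["enterprise.user.lockout.enabled"]
                and self.failures[user] >= self.props["enterprise.user.lockout.defaultAttempts"]):
            self.locked_until[user] = now + self.props["enterprise.user.lockout.defaultDurationSeconds"]
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user, now):
        """A correct password is not accepted while the lock is active."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True

    def issue_reset_token(self, user, now):
        """Create a single-use reset token; keep only its hash, as for a password."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        expires_at = now + self.props["vco.enterprise.resetPassword.token.expirySeconds"]
        self.reset_tokens[digest] = (user, expires_at)
        return token

    def redeem_reset_token(self, token, now):
        """Return the user if the token is known, unexpired and unused; otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored in list(self.reset_tokens):
            if hmac.compare_digest(stored, digest):
                user, expires_at = self.reset_tokens.pop(stored)
                return user if now < expires_at else None
        return None
```

Two properties of this model matter operationally: a correct password presented during the lock window is rejected rather than silently clearing the lock, and a reset token is consumed on first use whether or not it had expired, so a leaked link cannot be replayed.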
Rate Limiting APIs

System Property | Description |
---|---|
vco.api.rateLimit.enabled | Allows Operator Super users to enable or disable the rate limiting feature at the system level. By default, the value is False. Note: The rate-limiter does not enforce limits, that is, it does not reject API requests that exceed the configured limits, unless the vco.api.rateLimit.mode.logOnly setting is disabled. |
vco.api.rateLimit.mode.logOnly | Allows Operator Super users to run the rate limiter in LOG_ONLY mode. When the value is set to True and a rate limit is exceeded, only the error is logged and the respective metrics are fired, and clients can keep making requests without being rate limited. When the value is set to False, the API request is restricted by the defined policies and HTTP 429 is returned. |
vco.api.rateLimit.rules.global | Defines a set of globally applicable policies used by the rate-limiter, as a JSON array. By default, the value is an empty array. Each type of user (Operator, Partner, and Customer) can make up to 500 requests for every 5 seconds. The number of requests is subject to change based on the behavior pattern of the rate limited requests. The JSON array consists of the following parameters: Types: The type objects represent different contexts in which the rate limits are applied. The following are the different type objects that are available: Policies: Add rules to the policies to apply to the requests that match the rule, by configuring the following parameters: Enabled: Each type limit can be enabled or disabled by including the enabled key in APIRateLimiterTypeObject. By default, the value of enabled is True, even if the key is not included. You need to include the "enabled": false key to disable the individual type limits. The following example shows a sample JSON file with default values: [ { "type": "OPERATOR_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "MSP_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "ENTERPRISE_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] } ] Note: It is recommended not to change the default values of the configuration parameters. |
vco.api.rateLimit.rules.enterprise.default | Comprises the default set of Enterprise-specific policies applied to newly created Customers. The Customer-specific properties are stored in the Enterprise property vco.api.rateLimit.rules.enterprise. |
vco.api.rateLimit.rules.enterpriseProxy.default | Comprises the default set of Enterprise-specific policies applied to newly created Partners. The Partner-specific properties are stored in the Enterprise proxy property vco.api.rateLimit.rules.enterpriseProxy. |
For more information on Rate limiting, see Rate Limiting API Requests.
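The three rate-limiting properties interact in a way that is easy to get wrong in production: with vco.api.rateLimit.enabled left at False nothing is counted, and with vco.api.rateLimit.mode.logOnly at True the limiter counts and logs but still lets every request through. The following added example (not the Orchestrator's implementation) models that behaviour over the default JSON from the table above, parsed verbatim. The reservoir semantics used here, a bucket of reservoir tokens reset to reservoirRefreshAmount every reservoirRefreshInterval milliseconds, are an assumption about what the rule keys mean; only the "ALL" match type shown on the page is handled.

```python
import json

# Default value of vco.api.rateLimit.rules.global exactly as shown on this page.
GLOBAL_RULES_JSON = '''[ { "type": "OPERATOR_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "MSP_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "ENTERPRISE_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] } ]'''


class Reservoir:
    """Token reservoir: starts with `reservoir` tokens and is reset to
    `reservoirRefreshAmount` every `reservoirRefreshInterval` ms (reset rather
    than additive refill is this example's assumption)."""

    def __init__(self, rules, now_ms):
        self.tokens = rules["reservoir"]
        self.refresh_amount = rules["reservoirRefreshAmount"]
        self.refresh_interval = rules["reservoirRefreshInterval"]
        self.last_refresh = now_ms

    def take(self, now_ms):
        elapsed = now_ms - self.last_refresh
        if elapsed >= self.refresh_interval:
            self.tokens = self.refresh_amount
            self.last_refresh += (elapsed // self.refresh_interval) * self.refresh_interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """Models vco.api.rateLimit.enabled, vco.api.rateLimit.mode.logOnly and the
    global rules. Defaults mirror the page: disabled, and log-only when enabled."""

    def __init__(self, rules_json, enabled=False, log_only=True, now_ms=0):
        self.enabled = enabled
        self.log_only = log_only
        self.log = []       # what the LOG_ONLY mode would write
        self.metrics = {}   # user type -> number of limit hits
        self.reservoirs = {}
        for type_obj in json.loads(rules_json):
            if not type_obj.get("enabled", True):
                continue  # "enabled": false switches this type's limits off
            for policy in type_obj["policies"]:
                if policy["match"]["type"] == "ALL":
                    self.reservoirs[type_obj["type"]] = Reservoir(policy["rules"], now_ms)

    def handle(self, user_type, now_ms):
        """Return the HTTP status a request would get: 429 only when the limit is
        exceeded AND the limiter is enabled AND it is not in log-only mode."""
        if not self.enabled:
            return 200
        reservoir = self.reservoirs.get(user_type)
        if reservoir is None or reservoir.take(now_ms):
            return 200
        self.metrics[user_type] = self.metrics.get(user_type, 0) + 1
        self.log.append("rate limit exceeded for %s at %d ms" % (user_type, now_ms))
        return 200 if self.log_only else 429


def disable_type(rules_json, type_name):
    """Return a copy of the rules JSON with "enabled": false added for one user type."""
    rules = json.loads(rules_json)
    for type_obj in rules:
        if type_obj["type"] == type_name:
            type_obj["enabled"] = False
    return json.dumps(rules)
```

A practical use of the log-only run: leave logOnly at True for a while and watch the metrics counter per user type; if legitimate automation already exceeds 500 requests per 5 seconds, switching logOnly to False will start returning 429 to it.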
Remote Diagnostics

System Property | Description |
---|---|
network.public.address | Specifies the browser origin address/DNS hostname that is used to access the SD-WAN Orchestrator UI. |
network.portal.websocket.address | Allows you to set an alternate DNS hostname/address for accessing the SD-WAN Orchestrator UI from a browser, if the browser address is not the same as the value of the network.public.address system property. As remote diagnostics now uses a WebSocket connection, to ensure web security, the browser origin address that is used to access the Orchestrator UI is validated for incoming requests. In most cases, this address is the same as the |
session.options.websocket.portal.idle.timeout | Allows you to set the total amount of time (in seconds) the browser WebSocket connection stays active in an idle state. By default, the browser WebSocket connection stays active for 300 seconds in an idle state. |
Self-service Password Reset

System Property | Description |
---|---|
vco.enterprise.resetPassword.twoFactor.mode | Defines the mode for the second level for password reset authentication, for all the Enterprise users. Currently, only the SMS mode is supported. |
vco.enterprise.resetPassword.twoFactor.required | Enables or disables the two-factor authentication for password reset of Enterprise users. |
vco.enterprise.selfResetPassword.enabled | Enables or disables self-service password reset for Enterprise users. |
vco.enterprise.selfResetPassword.token.expirySeconds | Duration of time, after which the self-service password reset link for an Enterprise user expires. |
vco.operator.resetPassword.twoFactor.required | Enables or disables the two-factor authentication for password reset of Operator users. |
vco.operator.selfResetPassword.enabled | Enables or disables self-service password reset for Operator users. |
vco.operator.selfResetPassword.token.expirySeconds | Duration of time, after which the self-service password reset link for an Operator user expires. |
Two-factor Authentication

System Property | Description |
---|---|
vco.enterprise.authentication.twoFactor.enable | Enables or disables the two-factor authentication for Enterprise users. |
vco.enterprise.authentication.twoFactor.mode | Defines the mode for the second level authentication for Enterprise users. Currently, only SMS is supported as the second level authentication mode. |
vco.enterprise.authentication.twoFactor.require | Defines the two-factor authentication as mandatory for Enterprise users. |
vco.operator.authentication.twoFactor.enable | Enables or disables the two-factor authentication for Operator users. |
vco.operator.authentication.twoFactor.mode | Defines the mode for the second level authentication for Operator users. Currently, only SMS is supported as the second level authentication mode. |
vco.operator.authentication.twoFactor.require | Defines the two-factor authentication as mandatory for Operator users. |
VNF Configuration

System Property | Description |
---|---|
edge.vnf.extraImageInfos | Defines the properties of a VNF Image. You can enter the following information for a VNF Image, in JSON format, in the Value field: [ { "vendor": "Vendor Name", "version": "VNF Image Version", "checksum": "VNF Checksum Value", "checksumType": "VNF Checksum Type" } ] Example of JSON file for Check Point Firewall Image: [ { "vendor": "checkPoint", "version": "r80.40_no_workaround_46", "checksum": "bc9b06376cdbf210cad8202d728f1602b79cfd7d", "checksumType": "sha-1" } ] Example of JSON file for Fortinet Firewall Image: [ { "vendor": "fortinet", "version": "624", "checksum": "6d9e2939b8a4a02de499528c745d76bf75f9821f", "checksumType": "sha-1" } ] |
edge.vnf.metric.record.limit | Defines the number of VNF metric records to be stored in the database. |
enterprise.capability.edgeVnfs.enable | Enables VNF deployment on supported Edge models. |
enterprise.capability.edgeVnfs.securityVnf.checkPoint | Enables the Check Point Networks Firewall VNF. |
enterprise.capability.edgeVnfs.securityVnf.fortinet | Enables the Fortinet Networks Firewall VNF. |
enterprise.capability.edgeVnfs.securityVnf.paloAlto | Enables the Palo Alto Networks Firewall VNF. |
session.options.enableVnf | Enables the VNF feature. |
vco.operator.alert.edgeVnfEvent.enable | Enables or disables Operator alerts for Edge VNF events globally. |
vco.operator.alert.edgeVnfInsertionEvent.enable | Enables or disables Operator alerts for Edge VNF Insertion events globally. |
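The edge.vnf.extraImageInfos entries pin each VNF image to a vendor, version and digest, which is what lets an image be checked before it is deployed to an Edge. The following added example (not product code) shows a verifier that looks up an image by vendor and version in that JSON and compares a locally computed digest in constant time. The Fortinet entry is copied from the page; "sha-1" is the only checksumType the page shows, so the "sha-256" mapping and the entry_for helper for building entries from constructed data are assumptions of this example.

```python
import hashlib
import hmac
import json

# One edge.vnf.extraImageInfos value copied from this page.
EXTRA_IMAGE_INFOS = json.loads(
    '[ { "vendor": "fortinet", "version": "624", '
    '"checksum": "6d9e2939b8a4a02de499528c745d76bf75f9821f", "checksumType": "sha-1" } ]'
)

# checksumType names accepted by this example and their hashlib algorithm names.
# "sha-1" appears on the page; "sha-256" is assumed for illustration.
HASHES = {"sha-1": "sha1", "sha-256": "sha256"}


def checksum_of(data, checksum_type):
    """Hex digest of an image's bytes using the algorithm named in checksumType."""
    return hashlib.new(HASHES[checksum_type], data).hexdigest()


def find_entry(infos, vendor, version):
    """Return the configured entry for a vendor/version pair, or None."""
    for entry in infos:
        if entry["vendor"] == vendor and entry["version"] == version:
            return entry
    return None


def verify_image(data, vendor, version, infos):
    """True only when an entry exists for vendor/version and the image's digest
    matches it. An unknown checksumType is treated as a failed verification
    rather than skipped."""
    entry = find_entry(infos, vendor, version)
    if entry is None or entry["checksumType"] not in HASHES:
        return False
    actual = checksum_of(data, entry["checksumType"])
    return hmac.compare_digest(actual, entry["checksum"].lower())


def entry_for(data, vendor, version, checksum_type="sha-1"):
    """Build an extraImageInfos entry for image bytes you hold locally
    (used here to create entries for constructed test images)."""
    return {
        "vendor": vendor,
        "version": version,
        "checksum": checksum_of(data, checksum_type),
        "checksumType": checksum_type,
    }
```

SHA-1 is what the page's examples use, and a SHA-1 digest still catches corruption and accidental version mix-ups; where a vendor publishes a SHA-256 digest for the same image, preferring it costs nothing and removes the known collision weakness of SHA-1 from the integrity check.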
VPN

System Property | Description |
---|---|
vpn.disconnect.wait.sec | The time interval for the system to wait before disconnecting a VPN tunnel. |
vpn.reconnect.wait.sec | The time interval for the system to wait before reconnecting a VPN tunnel. |